Just before Christmas, the powers that be in Brussels emerged from their coffee-fuelled bunker after 6 months of discussion to announce that the trilogue negotiations for a new General Data Protection Regulation between the Parliament, Commission and Council had concluded. In principle, this means that a revised Data Protection Regulation text has been agreed, over 6 years after the idea was initially proposed. The full version still needs to be ratified by Parliament (not a straightforward process by any means) and, in reality, there are a number of steps still to be completed, but there is no doubt that for the future of marketing and the use of personal data, this is a significant development. Overall, it appears that a more business-friendly version of the text has been agreed than previously thought, which is better news for the direct marketing industry.
The main points to consider in terms of how this may affect direct marketing activity are detailed as follows:
1. Consent
This has been a key focus of the discussions and is central to direct marketing. Under the agreed text, consent needs to be ‘unambiguous’ rather than ‘explicit’, which was a stricter definition. Crucially, under unambiguous consent, marketing permission for direct mail and telephone marketing can still be gained on an ‘opt-out’ or an ‘unsubscribe’ basis.
That said, the general rules on marketing permissions, including the wording, where it is placed and how clear it needs to be to the consumer, will be tightened up. According to the DMA, “days when consent could be buried in lengthy terms and conditions are numbered”.
2. Legitimate Interest
As a term, this refers to the legal reasons behind data processing. The agreed text acknowledges that the processing of personal data for marketing purposes can be carried out as a legitimate interest, although an organisation would need to ensure that it can illustrate good cause to be able to rely on the legitimate interest angle. Many marketers will use legitimate interest as grounds for processing personal information if they are using the opt-out/unsubscribe data collection method.
3. Definition of Personal Data
Personal data is any information that can relate to someone who can be identified directly or indirectly, specifically referenced by name, ID number, location data or online identifier. It was initially thought that the legislation would deem all online identifiers, including Cookies, as personal data, which would have made online behavioural tracking extremely prohibitive for marketing. However, the agreed text states that only Cookies placed by an Internet Provider, which can be linked back to an email address and therefore used to identify an individual, are deemed as personal data. Cookies placed by advertisers, which cannot be linked back to anything that can identify the individual, are unlikely to be classified as personal data. Essentially, this is a sensible compromise.
4. Right to object
Individuals will have the right to object to any processing of personal information, including profiling, at any time, without incurring a fee. If they object, you can no longer use their information for marketing purposes. While legitimate interest will be used by many marketers as grounds for processing data, the opportunity to opt out must be brought to the attention of the individual in the first communication and be stated more obviously than many organisations perhaps currently do.
Under previous versions of the text, there was a risk that individuals would have to give explicit consent or opt in for their information to be used for profiling, but the agreed text states that individuals can opt out of profiling if they wish. However, they have no right to opt out of profiling if they have already explicitly consented to it.
Overall, the new General Data Protection Regulation will enable individuals to have better control over the use of their data but at the same time, is seen as a strong compromise to allow businesses to make the most of advertising opportunities in the digital market. Earlier versions of the proposals were seen to be extremely prohibitive for many businesses and there are still several things to be wary of; for a breach of the new legislation, firms could be fined up to 4% of global turnover and there may also be a requirement to employ a data compliance officer for companies using or processing personal data.
The Civil Liberties Committee of the EU Parliament approved the regulation on 17th December 2015. The next step is for the Regulation to be put to a vote in the EU Parliament and, separately, in the EU Council of Ministers early in 2016. Once passed, and assuming it’s agreed in its current form, it will be introduced into the law of all 28 member states 2 years from then (around Q2 2018).